Spiegel von
https://github.com/dani-garcia/vaultwarden.git
synchronisiert 2024-11-29 06:20:29 +01:00
Escape user data from admin panel when calling JS
Dieser Commit ist enthalten in:
Ursprung
a744b9437a
Commit
d7eeaaf249
2 geänderte Dateien mit 34 neuen und 5 gelöschten Zeilen
|
@ -423,7 +423,9 @@ fn load_templates(path: &str) -> Handlebars {
|
||||||
let mut hb = Handlebars::new();
|
let mut hb = Handlebars::new();
|
||||||
// Error on missing params
|
// Error on missing params
|
||||||
hb.set_strict_mode(true);
|
hb.set_strict_mode(true);
|
||||||
|
// Register helpers
|
||||||
hb.register_helper("case", Box::new(CaseHelper));
|
hb.register_helper("case", Box::new(CaseHelper));
|
||||||
|
hb.register_helper("jsesc", Box::new(JsEscapeHelper));
|
||||||
|
|
||||||
macro_rules! reg {
|
macro_rules! reg {
|
||||||
($name:expr) => {{
|
($name:expr) => {{
|
||||||
|
@ -455,7 +457,6 @@ fn load_templates(path: &str) -> Handlebars {
|
||||||
hb
|
hb
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Clone, Copy)]
|
|
||||||
pub struct CaseHelper;
|
pub struct CaseHelper;
|
||||||
|
|
||||||
impl HelperDef for CaseHelper {
|
impl HelperDef for CaseHelper {
|
||||||
|
@ -479,3 +480,31 @@ impl HelperDef for CaseHelper {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub struct JsEscapeHelper;
|
||||||
|
|
||||||
|
impl HelperDef for JsEscapeHelper {
|
||||||
|
fn call<'reg: 'rc, 'rc>(
|
||||||
|
&self,
|
||||||
|
h: &Helper<'reg, 'rc>,
|
||||||
|
_: &'reg Handlebars,
|
||||||
|
_: &Context,
|
||||||
|
_: &mut RenderContext<'reg>,
|
||||||
|
out: &mut Output,
|
||||||
|
) -> HelperResult {
|
||||||
|
let param = h
|
||||||
|
.param(0)
|
||||||
|
.ok_or_else(|| RenderError::new("Param not found for helper \"js_escape\""))?;
|
||||||
|
|
||||||
|
let value = param
|
||||||
|
.value()
|
||||||
|
.as_str()
|
||||||
|
.ok_or_else(|| RenderError::new("Param for helper \"js_escape\" is not a String"))?;
|
||||||
|
|
||||||
|
let escaped_value = value.replace('\\', "").replace('\'', "\\x22").replace('\"', "\\x27");
|
||||||
|
let quoted_value = format!(""{}"", escaped_value);
|
||||||
|
|
||||||
|
out.write("ed_value)?;
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -27,8 +27,8 @@
|
||||||
</span>
|
</span>
|
||||||
</div>
|
</div>
|
||||||
<div style="flex: 0 0 240px;">
|
<div style="flex: 0 0 240px;">
|
||||||
<a class="mr-3" href="#" onclick='deauthUser("{{Id}}")'>Deauthorize sessions</a>
|
<a class="mr-3" href="#" onclick='deauthUser({{jsesc Id}})'>Deauthorize sessions</a>
|
||||||
<a class="mr-3" href="#" onclick='deleteUser("{{Id}}", "{{Email}}")'>Delete User</a>
|
<a class="mr-3" href="#" onclick='deleteUser({{jsesc Id}}, {{jsesc Email}})'>Delete User</a>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
@ -101,7 +101,7 @@
|
||||||
{{/if}}
|
{{/if}}
|
||||||
{{/each}}
|
{{/each}}
|
||||||
<button type="submit" class="btn btn-primary">Save</button>
|
<button type="submit" class="btn btn-primary">Save</button>
|
||||||
<button type="button" class="btn btn-danger float-right" onclick="deleteConfig();">Reset defaults</button>
|
<button type="button" class="btn btn-danger float-right" onclick="deleteConf();">Reset defaults</button>
|
||||||
</form>
|
</form>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
@ -192,7 +192,7 @@
|
||||||
"Error saving config", data);
|
"Error saving config", data);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
function deleteConfig() {
|
function deleteConf() {
|
||||||
var input = prompt("This will remove all user configurations, and restore the defaults and the " +
|
var input = prompt("This will remove all user configurations, and restore the defaults and the " +
|
||||||
"values set by the environment. This operation could be dangerous. Type 'DELETE' to proceed:");
|
"values set by the environment. This operation could be dangerous. Type 'DELETE' to proceed:");
|
||||||
if (input === "DELETE") {
|
if (input === "DELETE") {
|
||||||
|
|
Laden …
In neuem Issue referenzieren